SolarWinds Web Help Desk Hardcoded Credential Vulnerability
CVE-2024-28987 affects SolarWinds Web Help Desk (WHD). The flaw is a hardcoded credential in WHD that allows a remote, unauthenticated user to reach internal functionality and modify data. Multiple references describe it as a critical hardcoded login credential bug in SolarWinds Web Help Desk.
Exploits
Two public proof-of-concept repositories have been catalogued for this CVE:
This repository contains a proof-of-concept Python exploit for CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk. The main script, 'cve-2024-28987.py', uses a hardcoded HTTP Basic Authorization header to authenticate to the SolarWinds Web Help Desk API. It retrieves up to 25 of the most recent help desk tickets (due to an API limitation), fetches full details for each ticket, and saves the results in a structured directory format. The script also analyzes ticket IDs to estimate the total number of tickets in the system. Output is organized into JSON files for summaries and detailed ticket data. The exploit is network-based, targeting the API endpoints '/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets' and '/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/{ticket_id}' on the victim system. The repository includes a README with usage instructions and a LICENSE file. The exploit does not provide a shell or code execution, but enables unauthorized access to sensitive ticket data via the exposed API.
This repository contains a proof-of-concept exploit for CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk. The main file, CVE-2024-28987.py, is a Python script that takes a target URL as input and attempts to retrieve helpdesk tickets from the target by sending an HTTP GET request to the /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets endpoint. The request uses a hardcoded HTTP Basic Authorization header, exploiting the vulnerability to gain unauthorized access to ticket data. The script prints the retrieved tickets if successful, or indicates if the target is likely not vulnerable. The repository also includes a README.md with usage instructions and background information. No additional payloads or post-exploitation actions are present; the exploit is limited to reading ticket data. The attack vector is network-based, requiring access to the target's web interface.
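Both proofs of concept above reduce to unauthenticated GET requests against the OrionTickets endpoints, which makes web-server access logs the natural place to look for abuse. The following is an added detection example, not code from the page or from either repository; it assumes combined-format access logs, a constructed sample log, and an allow-list of hosts that legitimately talk to that API (normally the Orion integration server). It flags any other source that received a successful response from the endpoint and summarises how many ticket listings and individual tickets it pulled.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2024:10:01:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets HTTP/1.1" 200 5123 "-" "SolarWinds-Orion"
203.0.113.7 - - [20/Sep/2024:10:05:11 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [20/Sep/2024:10:05:12 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/1041 HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [20/Sep/2024:10:05:12 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/1040 HTTP/1.1" 200 790 "-" "python-requests/2.31"
198.51.100.9 - - [20/Sep/2024:10:07:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets HTTP/1.1" 401 0 "-" "curl/8.4"
10.0.0.5 - - [20/Sep/2024:10:09:30 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wa/Login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The two endpoints used by the public PoCs: the ticket listing and a single ticket by id.
ORION_PATH_RE = re.compile(
    r'^/helpdesk/WebObjects/Helpdesk\.woa/ra/OrionTickets(?:/(?P<ticket>\d+))?(?:\?.*)?$'
)


def find_suspicious_orion_access(log_text, allowed_sources):
    """Return one finding per source IP that got a 2xx response from the
    OrionTickets API and is not an expected Orion integration host (assumed allow-list)."""
    per_ip = defaultdict(lambda: {"listing": 0, "tickets": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        p = ORION_PATH_RE.match(m["path"])
        # Only successful reads count as data exposure; denied attempts (4xx) are left out here.
        if not p or not m["status"].startswith("2") or m["ip"] in allowed_sources:
            continue
        entry = per_ip[m["ip"]]
        if p["ticket"]:
            entry["tickets"].add(p["ticket"])  # per-ticket fetch, as in the enumerating PoC
        else:
            entry["listing"] += 1  # bulk listing of the most recent tickets
        entry["agents"].add(m["ua"])
    return [
        {"ip": ip, "listing_requests": e["listing"],
         "tickets_fetched": len(e["tickets"]), "user_agents": sorted(e["agents"])}
        for ip, e in per_ip.items()
    ]


if __name__ == "__main__":
    for finding in find_suspicious_orion_access(SAMPLE_LOG, {"10.0.0.5"}):
        print(finding)
```

Feed it a real log and the hosts that are supposed to call the Orion API; anything else that shows up with successful responses, especially with a scripting user agent and a burst of per-ticket fetches, should be treated as a likely data-exposure event.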
Recent activity
Sources referencing this vulnerability describe it as follows:
A critical SolarWinds Web Help Desk vulnerability discussed alongside a public proof of concept; that source does not describe its mechanics.
A critical hardcoded login credential vulnerability in SolarWinds Web Help Desk.
A SolarWinds Web Help Desk vulnerability fixed in 2024 that was reportedly leveraged by attackers after disclosure; the exact technical impact is not specified in that source.